petersweb-infra/nixos/firewall.nix
Philip Peterson 097e3a312f Move KDE desktop to host; container becomes noVNC proxy only
The vnc-desktop container no longer runs a desktop environment. KDE Plasma
and Xvnc now run directly on the host via a vnc-kde systemd service, with
port 5901 firewalled to the podman bridge subnet only. The container is
reduced to a websockify bridge forwarding the noVNC web UI to hetzner-host:5901.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01 03:13:20 -07:00


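{pkgs, ...}: {
  # Host-level NixOS firewall for this machine.
  # Ports in allowedTCPPorts are opened for every source; keep the per-port
  # owner comment current so a reviewer can tell which service each opening
  # belongs to and can remove it when that service goes away.
  networking.firewall.allowedTCPPorts = [
    80 # nginx/http
    22 # ssh
    222 # ubuntu vm ssh
    443 # ssl
    2200 # forgejo ssh
    3000 # forgejo http
    8082 # webdav
    8087 # nextcloud
    9090 # sync.io
  ];

  # Raw iptables rules, run after the nixos-fw chain is (re)built. They are
  # IPv4 only: no ip6tables counterpart is added here, which is fine as long
  # as the podman bridges stay on the private 10.89.0.0/16 range.
  # NOTE(review): extraCommands is consumed by the iptables backend; if this
  # host is switched to the nftables backend these rules would need to be
  # re-expressed — confirm which backend is in use.
  networking.firewall.extraCommands = ''
    # Allow DNS from all podman bridge networks (10.89.0.0/16).
    # NixOS auto-adds a rule for podman0 but not for networks created by
    # docker-compose/arion (podman1, podman2, podman3…).
    iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
    iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept

    # Allow the noVNC/websockify container to reach Xvnc on the host
    # (port 5901). The source match is the whole podman /16, so every
    # container on any podman bridge — not only the vnc-desktop container —
    # can reach the VNC port. Narrow -s to that container's own bridge
    # subnet once it is fixed, and keep 5901 out of allowedTCPPorts so it
    # is never exposed beyond the bridge networks.
    iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 5901 -j nixos-fw-accept
  '';
}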